[Geoserver-users] Enabling only WMS on selected layers

Hello all:

I’d like to know if Geoserver gives the choice of publishing a layer resource in WMS only.

I need to prevent the use of WFS from downloading certain layers that should be restricted.

Is there a way to do that?

WMS in all layers

WFS in all except some layers.

Thanks in advance.

On Mon, Mar 11, 2013 at 4:37 PM, Ivan Santiago <isantiago@anonymised.com> wrote:

> Hello all:
>
> I’d like to know if Geoserver gives the choice of publishing a layer resource in WMS only.

There are no per layer checks, but you can disable the WFS completely if you want

Cheers
Andrea

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Hi Ivan,

As Andrea indicated: you can completely disable WFS services on GeoServer.

Or, you can set up user-based authentication on a per-layer basis for WMS and
WFS. Say, you could publish layer A as WMS and then set a password for layer
A for WFS. By doing so, you disable the access of WFS on layer A to all
anonymous users.

Guan


-------------------------------------------------------

On Mon, Mar 11, 2013 at 8:23 PM, Guan Wang <gwang@anonymised.com> wrote:

> Or, you can set up user-based authentication on per layer basis for WMS and WFS. Say, you could publish layer A as WMS and then set a password for layer A for WFS. By doing so, you disable the access of WFS on layer A to all anonymous users.

Unfortunately, that is not possible using the built-in security subsystem of GeoServer; it requires a way to express a security rule that involves at the same time layer and service.

There are two security plugins that can do that. One is publicly available, GeoShield, but it hasn’t reached the 1.0 release level and I haven’t seen any news in a long while (https://sites.google.com/site/geoshieldproject/home/news). The other is called GeoFence (formerly GeoRepository) and has been offered so far as a bonus in GeoServer commercial support contracts (http://geo-solutions.blogspot.it/2011/05/preview-georepository-advanced.html).

Cheers
Andrea



Hi,

Andrea, could you please elaborate a bit on "it requires a way to express a
security rule that involves at the same time layer and service"?

Ivan, another option you may have is to take advantage of whatever your
proxy servers (if you use any), such as Apache or nginx, could offer and see
if you could disable WFS on a layer by its URL pattern, etc.

Guan


-------------------------------------------------------

Thanks for your kind suggestions.


-------------------------------------------------------

I would look hard at using a proxy service (i.e. block access to GeoServer except through the proxy). The advantage of this is that you could manipulate WFS requests within the proxy - allowing, say, getFeature with maxFeatures set while disabling, say, shapefile download or limiting the attributes served.

Stephen V. Mather
GIS Manager
(216) 635-3243 (Work)
clevelandmetroparks.com
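
A sketch of the proxy-side check suggested in the replies above, as an added example that is not part of the thread and is not GeoServer code: a decision function that applies a layer-plus-service rule (refuse WFS for selected layers, let WMS through) to GET and XML POST requests. The layer names, host name and function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: hypothetical layers that must stay WMS-only.
RESTRICTED = {"restricted:parcels", "restricted:wells"}
RESTRICTED_LOCAL = {name.split(":", 1)[1] for name in RESTRICTED}
WFS_NS = "http://www.opengis.net/wfs"

def is_restricted(layer):
    # The prefix of a typeName in an XML body is a namespace prefix chosen by
    # the client, so compare local names only (over-blocks same-named layers).
    return layer.rsplit(":", 1)[-1] in RESTRICTED_LOCAL

def allow_request(method, url, body=b""):
    """Return True if the proxy may forward the request to GeoServer."""
    parts = urlsplit(url)
    kvp = {}  # OGC parameter names are case-insensitive; keep repeated keys
    for key, values in parse_qs(parts.query).items():
        kvp.setdefault(key.lower(), []).extend(values)
    services = {value.lower() for value in kvp.get("service", [])}
    operations = {value.lower() for value in kvp.get("request", [])}
    layers = []
    for value in kvp.get("typename", []) + kvp.get("typenames", []):
        layers += value.replace("(", ",").replace(")", ",").split(",")
    if parts.path.lower().rstrip("/").endswith("/wfs"):
        services.add("wfs")  # covers /geoserver/wfs and /geoserver/<workspace>/wfs
    if method.upper() == "POST" and body:
        if b"<!doctype" in body.lower():
            return False  # refuse DTDs rather than parse entity definitions
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return False  # fail closed on bodies the filter cannot read
        namespace, _, local = root.tag.rpartition("}")
        services.add(root.get("service", "").lower())
        if namespace.lstrip("{").startswith(WFS_NS):
            services.add("wfs")
        operations.add(local.lower())
        for element in root.iter():
            for attr in ("typeName", "typeNames"):  # WFS 1.x and WFS 2.0
                layers += element.get(attr, "").replace(",", " ").split()
    if "wfs" not in services:
        return True  # WMS and other services pass through untouched
    if operations == {"getcapabilities"}:
        return True
    layers = [name.strip() for name in layers if name.strip()]
    # Fail closed: a WFS request that names no layer cannot be checked.
    return bool(layers) and not any(is_restricted(name) for name in layers)
```

A filter like this only holds if GeoServer is unreachable except through the proxy, and it has to run on every request, including POST bodies, not just on the URL.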

On 03/11/13 16:37, Ivan Santiago wrote:

> Hello all:
>
> I’d like to know if Geoserver gives the choice of publishing a layer
> resource in WMS only.
>
> I need to prevent the use of WFS from downloading certain layers that
> should be restricted.
>
> Is there a way to do that?
>
> WMS in all layers
>
> WFS in all except some layers.

I think you can do that using workspaces and virtual services.

Disable the WFS for the global endpoint, create two workspaces, one
'public' with the layers you want fully published, and one 'restricted'
for the layers you want to restrict, then disable the WFS for the
latter. Use the specific endpoints to access WFS (i.e.
http://fqdn/geoserver/public/wfs).

At least that's what I gathered from tinkering with the security
subsystem. Not 100% sure, but that's the way to go, since there's no
per-layer ACL for services.

--
Landry Breuil
Mouton a 5 pattes du CRAIG

On Mon, Mar 11, 2013 at 8:50 PM, Guan Wang <gwang@anonymised.com> wrote:

> Hi,
>
> Andrea, could you please elaborate a bit on “it requires a way to express a security rule that involves at the same time layer and service”?

The rule needed in this case is “hide layer x if the service accessing it is WFS”, so, “a rule that involves at the same time layer and service”. The built-in security subsystem can only make assertions such as “make the wfs accessible only to users with a certain role” (but for all the layers), or “make this layer accessible read only to users with a certain role” (but for all the services); you cannot express a rule that needs to involve both layer and service.

This is not a “built-in” limitation, the security framework can do much more, and both GeoShield and GeoFence leverage that to apply more complex rules, such as the ones that are discussed here; it’s just that the upper levels built into GeoServer (GUI, rule storage) are old and can do only so much.

About using proxies… I’ve made my opinion on the subject clear in the PDF document, which was written from a theoretical standpoint, but when GeoShield moved from being a proxy to integrating directly in the GeoServer security framework they had quite a speedup (the single OGC request became between 2 and 7 times faster, with the secured request still being between 2 and 4 times faster than a GeoServer without any security plugin applied… if you use the simple built-in rules instead, there is basically no slowdown whatsoever).

Cheers
Andrea
